Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
What is the best way to handle encryption for passwords?
I’m trying to send a password via a NSURLRequest. The passwords are encrypted at the database level on the server.
Should I send the password over as clear text and then when it reaches the server, encrypt the password and then check if this password matches the encrypted password in the database.
Should I encrypt the password first and then just check this encrypted password matches the encrypted password in the database?
You should never send a password over an unsecured plain HTTP connection.
Using TLS (successor of SSL) as stated by j0k would be your way to go, if it’s possible you should use it whenever possible instead of inventing your own schemes. If you simply use one-way TLS/SSL (i.e. only the server authenticates itself, client stays anonymous) then you will save yourself the trouble of handling symmetric encryption keys on the client side.
If you properly set up your TLS on the server then you may simply transmit the user credentials unencrypted. TLS as a protocol handles encryption on the transport level so you as a developer need not care about it any longer.
Another thing you should probably do is not storing the passwords in encrypted form, but just storing a salted hash of them (SHA-1 or something adequate) in your database. This way you’ll never be in danger of compromising your user’s passwords.